Bug 472035 - port tcp 1314 used by festival but not declared
Product: Fedora
Classification: Fedora
Component: selinux-policy
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-11-18 07:58 EST by Dominick Grift
Modified: 2009-08-20 13:21 EDT
Doc Type: Bug Fix
Last Closed: 2009-08-20 13:21:38 EDT

Attachments: None
Description Dominick Grift 2008-11-18 07:58:50 EST
Description of problem:
type=AVC msg=audit(1227010750.043:77): avc:  denied  { name_bind } for  pid=3877 comm="festival" src=1314 scontext=dgrift:dgrift_r:dgrift_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

Version-Release number of selected component (if applicable):

How reproducible:
use Orca/festival
Actual results:
causes the user to name_bind to a generic tcp_socket

Additional info:
I solved this issue by declaring a port type for tcp 1314 and allowing a process to name_bind to its tcp_socket:

sh-3.2# cat myfestival.te
policy_module(myfestival, 0.0.1)

# orca and festival speech
# tcp 1314
type festival_port_t;
# give the type the port_type attribute so that semanage port accepts it
corenet_port(festival_port_t)

require { type dgrift_t; }

# bind only to the festival port, not to every port still labeled port_t
allow dgrift_t festival_port_t:tcp_socket name_bind;

sh-3.2# /usr/sbin/semanage port -a -t festival_port_t -p tcp 1314
Comment 1 Daniel Walsh 2008-11-18 11:57:03 EST
Why should this be added to selinux?  This port is not defined in /etc/services.  It is not used by any confined domains.
Comment 2 Dominick Grift 2008-11-18 13:37:18 EST
My guess is because we would like to support confined logins to a degree. Orca and festival are installed by default.

You say it is not used by confined domains, but obviously it is, as my example shows above. Confined user domains are confined domains too.

A confined user using Orca and speech will have to bind to that tcp socket. If the admin uses audit2allow -M, then the admin might give access to all undefined ports.

By declaring a port type for tcp 1314, the admin could just allow this access without giving access to all generic ports.

In my view it would be much work to add a port definition for tcp 1314 in corenetwork.te.in.
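As an added example (not part of the bug report or of the Fedora policy), the script below parses the AVC line quoted in the description, flags a denial against a generic port type as one where audit2allow -M would open every undeclared port, and emits the narrow alternative instead: a dedicated port type plus the matching semanage port command. The function names and the set of generic port types are this example's own; the AVC line is re-used as constructed input.

```python
import re

# Constructed sample input: the AVC denial quoted in the bug description.
AVC_LINE = ('type=AVC msg=audit(1227010750.043:77): avc:  denied  { name_bind } for  '
            'pid=3877 comm="festival" src=1314 '
            'scontext=dgrift:dgrift_r:dgrift_t:s0-s0:c0.c1023 '
            'tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket')

# Generic (catch-all) port types from the reference policy. A denial against one
# of these means an audit2allow rule would grant access to every port without
# a dedicated type, not just the one the program actually needs.
GENERIC_PORT_TYPES = {"port_t", "unreserved_port_t", "reserved_port_t",
                      "hi_reserved_port_t", "ephemeral_port_t"}

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} .*?'
    r'comm="(?P<comm>[^"]+)".*?src=(?P<port>\d+).*?'
    r'scontext=(?P<scontext>\S+).*?tcontext=(?P<tcontext>\S+).*?tclass=(?P<tclass>\S+)')

def parse_avc(line):
    """Pull the fields we need out of one name_bind AVC line (None if no match)."""
    m = AVC_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["perms"] = d["perms"].split()
    d["port"] = int(d["port"])
    d["stype"] = d["scontext"].split(":")[2]   # user:role:type:range -> type
    d["ttype"] = d["tcontext"].split(":")[2]
    return d

def is_overbroad(avc):
    """True when a plain audit2allow rule for this denial would open all undeclared ports."""
    return avc["tclass"] in ("tcp_socket", "udp_socket") and avc["ttype"] in GENERIC_PORT_TYPES

def narrow_policy(avc, port_type):
    """Return (policy module text, semanage command) granting only the one port seen."""
    proto = "tcp" if avc["tclass"] == "tcp_socket" else "udp"
    te = "\n".join([
        f"policy_module(my{avc['comm']}, 0.0.1)",
        f"type {port_type};",
        f"corenet_port({port_type})",          # port_type attribute, so semanage accepts it
        f"require {{ type {avc['stype']}; }}",
        f"allow {avc['stype']} {port_type}:{avc['tclass']} {' '.join(avc['perms'])};",
    ])
    cmd = f"semanage port -a -t {port_type} -p {proto} {avc['port']}"
    return te, cmd
```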
Comment 3 Daniel Walsh 2008-11-18 14:01:24 EST
My argument against is that you can make the same argument for any piece of software requiring random ports. I don't have a problem adding a port that is registered in /etc/services, or if it can be justified to me.

Which you have done.

Fixed in selinux-policy-3.5.13-23.fc10
Comment 4 Bug Zapper 2008-11-26 00:33:32 EST
This bug appears to have been reported against 'rawhide' during the Fedora 10 development cycle.
Changing version to '10'.

More information and the reason for this action are here:
Comment 5 Dominick Grift 2009-08-20 13:21:38 EDT
